National People's Congress Standing Committee Decision Regarding Strengthening Network Information Protection
(Passed at the 30th Meeting of the 11th Plenum of the National People's Congress Standing Committee on December 28, 2012)
In order to protect Internet information security, ensure the legal rights and interests of citizens, legal persons, and other groups, and safeguard national security and the public interest, it is hereby decided as follows:
1. The State protects electronic information that can distinguish a citizen's personal identity and that relates to citizens' personal privacy.
Organizations and individuals may neither steal nor obtain through illegal means citizens' personal electronic information, nor sell or illegally provide citizens' personal electronic information to a third party.
2. Network service providers and other enterprises that collect or utilize citizens' personal electronic information in the course of business activities shall abide by the principles of legality, legitimacy, and necessity, clearly explain the purpose, manner, and scope of collection, and shall not, without the approval of the individual whose information is being collected, collect or use information in a manner that violates the provisions of laws and regulations, and the agreements of both parties.
Network information providers and other enterprises that collect or utilize citizens' personal electronic information shall publicize their rules for collection and utilization.
3. Network service providers and other enterprises and their employees must strictly preserve the confidentiality of citizens' personal electronic information collected during the course of business activities, and may not disclose, falsify, or damage it, and may not sell or illegally provide it to third parties.
4. Network service providers and other enterprises shall adopt technical and other necessary measures, ensure information security, and prevent the disclosure, damage, or loss of citizens' personal electronic information collected during the course of business activities. Remedial measures shall be immediately taken when information has or may have been disclosed, damaged, or lost.
5. Network service providers shall strengthen their management of information issued by their users, and upon discovering the issuance or transmission of information prohibited by law or regulation they shall immediately cease transmission of said information, adopt measures to dispose of it, such as removing it, retain relevant records, and report it to the relevant agency.
6. When entering into agreements or confirming the provision of services with users, network service providers who provide users network connection services, conduct network access procedures for fixed and mobile telephones, or who provide users with information issuing services shall require users to provide truthful identity information.
7. No organization or individual may send commercial electronic information to a fixed line or mobile telephone or an individual's email address if it has not obtained the approval of, or a request from, the electronic information recipient, or if the electronic information recipient has clearly expressed its refusal.
8. Citizens who discover network information that discloses an individual's identity, disseminates an individual's private affairs, or otherwise infringes upon their legal rights and interests, or who are harassed by receiving commercial electronic information, have the right to require the network service provider to delete the relevant information or adopt other necessary measures to stop it.
9. Every organization and individual has the right to file a complaint or accusation to the relevant responsible agency regarding any criminal activity relating to the provision of citizens' personal electronic information to a third party through theft or its acquisition or sale through illegal means or other network information illegal criminal activity. Upon receipt of a complaint or accusation, the agency shall handle it promptly in accordance with law. A person whose rights have been infringed may file a lawsuit in accordance with the law.
10. Relevant responsible agencies shall perform their responsibilities within the scope of their statutory authority in accordance with the law, and shall adopt technical and other necessary measures to prevent, stop, investigate and prosecute the illegal provision of citizens' personal electronic information to a third party through theft or its acquisition or sale through illegal means or other network information illegal criminal activity. Network service providers shall provide cooperation and technical support to relevant responsible agencies in the course of their performing their responsibilities in accordance with the law.
State agencies and their staff shall maintain the confidentiality of citizens' personal electronic information that they learn during the course of fulfilling their duties, and shall not disclose, falsify, or damage it, and shall not sell or illegally provide it to third parties.
11. Activities that violate this Decision shall result in sanctions including warnings, fines, confiscation of illegal gains, revocation of license or cancellation of registration, closure of website, banning of relevant responsible employees from operating network service businesses, and shall be logged in social credit registries and publicized. Activities that constitute violations of public security administration shall be subject to public security administration sanctions in accordance with the law. Where a crime has been committed, criminal responsibility shall be pursued in accordance with the law. Those who infringe upon citizens' civil rights and interests shall bear civil responsibility in accordance with the law.
12. This Decision shall become effective on the day it is publicized.